Matthew Garrett ([personal profile] mjg59) wrote,
@ 2012-06-06 10:32 am UTC
  • Previous Entry
  • Add to Memories
  • Tell someone about this!
  • Next Entry
Entry tags:advogato, fedora
Why not just avoid the entire Secure Boot problem by using Coreboot? Because the reason we have the Secure Boot problem is because Microsoft's Windows 8 certification requirements mean vendors have to ship a UEFI implementation with Secure Boot. You could satisfy that by using Coreboot with a Tiano payload, but it'll still have Secure Boot enabled so you still have the same set of problems. But maybe you could just reflash your system with Coreboot? No, because another part of the requirements states that all firmware updates have to be cryptographically signed now. The only way to reflash will be to attach a flash programmer directly to your motherboard.

So why not just use Coreboot? Because it doesn't help solve this problem in any way.

(Read 43 comments) - (Post a new comment)
(Flat) (Top-level comments only)

Re: UEFI key management application


(Anonymous)
2012-06-11 06:11 pm UTC (link)
Instead of the Linux Foundation, perhaps the organization could be CAcert? I would think it would be a matter of persuading the OEMs to include the CAcert root keys in the default list. CAcert is a non-profit certificate authority that uses a worldwide web-of-trust model to verify identities. You can sign up as a community member for free, have your identity verified by their assurers at no cost, and then sign all the distros you want.

(Reply to this)  (Thread from start)  (Parent)  (Thread


Re: UEFI key management application


[personal profile] mjg59
2012-06-11 10:34 pm UTC (link)
CACert still haven't passed an external audit. It's also not just about identity verification - you need someone to handle revocation.

(Reply to this)  (Thread from start)  (Parent


(Read 43 comments) - (Post a new comment)
(Flat) (Top-level comments only)